NVIDIA / aistore

AIStore: scalable storage for AI applications
https://aistore.nvidia.com
MIT License
1.22k stars 163 forks

AuthN support for S3 Compat Clients #181

Open chiefMarlin opened 1 month ago

chiefMarlin commented 1 month ago

Hi, I am looking for a way to secure access to s3 buckets at http://localhost:51080 -> ais://abc. Looking over the docs below, I don't see any references on how to do this. https://github.com/NVIDIA/aistore/blob/main/docs/s3compat.md https://github.com/NVIDIA/aistore/blob/main/docs/s3cmd.md#2-how-to-have-s3cmd-calling-ais-endpoint

I have also tried adding an authn server; however, that still permits access with any supplied credentials when testing with aws cli.

Purpose is to use aistore as s3 server and access it with s3 compatible clients.

Thanks

gaikwadabhishek commented 1 month ago

Hey @chiefMarlin,

Are you running the AIStore cluster locally? If so, have you configured AIStore with an AWS backend? When prompted during the make deploy process, make sure to select y for AWS integration. This setup will automatically use the AWS credentials stored in your .aws/ directory.

To list all remote buckets, you can use the following command:

$ ais ls --all

chiefMarlin commented 1 month ago

Hi, I am not trying to use AWS as backend; rather, I'm using local disk as backend and accessing aistore via an s3 compat client. I'm running the docker example here https://github.com/NVIDIA/aistore/tree/main/deploy/prod/docker/single with authn alongside.

I'm trying to use this as an s3 storage server.

alex-aizman commented 1 month ago

Just out of curiosity - what are you trying to do? Asking also because the all-in-one docker image that we provide is there mostly for first-time users (e.g., to play with CLI) and demonstration purposes.

chiefMarlin commented 1 month ago

Hi Alex, I only discovered this project yesterday and so far I'm testing out the basic feature set; next up is scaling across servers/mirror and stress testing. My use case is primarily to replace MinIO as s3 server, and as part of that I'm hoping to have it scale across multiple machines within the same dc. I am also interested in seeing how well geo mirroring works.

gaikwadabhishek commented 1 month ago

Hey @chiefMarlin,

To access local ais buckets on an s3 compatible client, append /s3 to the URL—this should work perfectly.

Here's what I did to verify:

I had a cluster running with both S3 and AIS buckets. Using the AWS CLI, I was able to access it as follows:

$ aws s3 ls --endpoint=http://<aistore-endpoint>:51080/s3
# This lists all S3, GCP, and AIS buckets

$ aws s3 ls <ais-bucket-name> --endpoint=http://<aistore-endpoint>:51080/s3
# This lists all objects within that specific AIS bucket

Let me know if you run into any issues!

chiefMarlin commented 1 month ago

@gaikwadabhishek @alex-aizman I am looking to add authentication to the s3 access to prevent anyone and everyone from accessing any bucket they want. This is a trivial feature that any s3 server comes with. In all of the examples provided, including yours, no authentication for s3 buckets is required and I don't see any mention of how to enable this. As I mentioned, I tried adding an authn server and that worked for securing access using the "ais" tool but not a compat s3 client.

I hope this clears it up.

gaikwadabhishek commented 1 month ago

I see. I tried it myself and debugged a bit -

s3cmd --debug ls s3://nnn --add-header="Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI6dHJ1ZSwiZXhwaXJlcyI6IjIwMjQtMDgtMTBUMTA6NDY6MzQuMjk1MDA3NTIyLTA3OjAwIiwidXNlcm5hbWUiOiJhZG1pbiJ9.gS2JNSzCYcxuhu8hkIVA41Chi1kG1O-Rtb1pxOgilE4"

This doesn't work as s3cmd is not allowing me to change the Authorization header -

DEBUG: Response:
{'data': b'<?xml version="1.0" encoding="UTF-8"?>\n<Error><Code>Authorizatio'
         b'nHeaderMalformed</Code><Message>The authorization header is malforme'
         b"d; the region 'us-east-1' is wrong; expecting 'ap-southeast-1'</Mess"
         b'age><Region>ap-southeast-1</Region><RequestId>A9CXDVTCWHW1GF0J</Requ'
         b'estId><HostId>Pq/VO2hy1s+23GBhVKXqL9j1DBYTFXjAqW+aLB2i3j6z6jxU8Ah/dE'
         b'WfJaguRdL3p9PhpXvOQnA=</HostId></Error>',
 'headers': {'connection': 'close',
             'content-type': 'application/xml',
             'date': 'Fri, 09 Aug 2024 18:04:30 GMT',
             'server': 'AmazonS3',
             'transfer-encoding': 'chunked',
             'x-amz-bucket-region': 'ap-southeast-1',
             'x-amz-id-2': 'Pq/VO2hy1s+23GBhVKXqL9j1DBYTFXjAqW+aLB2i3j6z6jxU8Ah/dEWfJaguRdL3p9PhpXvOQnA=',
             'x-amz-request-id': 'A9CXDVTCWHW1GF0J'},
 'reason': 'Bad Request',
 'status': 400}

This will require a fix on the s3cmd side, or we will need to work on some changes on the aistore side. We are open to suggestions; let us know if you could help us on this one.
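
Added example (not part of the thread, and not AIStore or s3cmd code): S3-compatible clients such as s3cmd and the AWS CLI fill the Authorization header with an AWS Signature Version 4 value, so a Bearer token cannot occupy the same header. This Python function classifies a received header as SigV4 or Bearer for server-side logging; the function name and both sample headers are constructed for illustration.

```python
import base64
import json
import re

# SigV4 header layout (AWS-documented):
#   AWS4-HMAC-SHA256 Credential=<key>/<date>/<region>/<service>/aws4_request,
#   SignedHeaders=<h1;h2>, Signature=<hex>
_SIGV4 = re.compile(
    r"^AWS4-HMAC-SHA256\s+Credential=(?P<key>[^/]+)/(?P<date>\d{8})/"
    r"(?P<region>[^/]+)/(?P<service>[^/]+)/aws4_request,\s*"
    r"SignedHeaders=(?P<signed>[^,]+),\s*Signature=(?P<sig>[0-9a-f]{64})$"
)

# Constructed sample headers (not taken from the thread).
SAMPLE_SIGV4 = (
    "AWS4-HMAC-SHA256 Credential=EXAMPLEKEY/20240809/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=" + "0" * 64
)
SAMPLE_BEARER = "Bearer " + ".".join(
    base64.urlsafe_b64encode(json.dumps(p).encode()).decode().rstrip("=")
    for p in ({"alg": "HS256"}, {"username": "demo"})
) + ".constructed-signature"


def classify_authorization(header):
    """Return the scheme and non-secret fields of an Authorization header."""
    header = header.strip()
    m = _SIGV4.match(header)
    if m:
        # The region here is the credential scope that S3 checks per bucket.
        return {"scheme": "sigv4", "access_key": m["key"], "region": m["region"],
                "service": m["service"], "signed_headers": m["signed"].split(";")}
    if header.lower().startswith("bearer "):
        parts = header[7:].strip().split(".")
        try:
            if len(parts) != 3:
                raise ValueError("not header.payload.signature")
            seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore b64 padding
            claims = json.loads(base64.urlsafe_b64decode(seg))
        except ValueError:
            return {"scheme": "bearer", "jwt_shaped": False}
        # Claims are NOT verified here; use them for logging only.
        return {"scheme": "bearer", "jwt_shaped": True, "claims": claims}
    return {"scheme": "unknown"}


if __name__ == "__main__":
    for h in (SAMPLE_SIGV4, SAMPLE_BEARER, "Basic Zm9v"):
        print(classify_authorization(h))
```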